On my local Macs I have long used unbound as a local DNS resolver without forwarding and with “qname-minimisation: yes”. Along the way I also got a DNSSEC solution!

On my last attempt to implement a gateway I used IPFirewall (with kernel 2.x, too slow). They provide unbound by default, but with forwarding. A charming feature is the possibility to block web pages on DNS level and therefore you don’t need a webproxy. To do this I used the script dns-blocklist.sh (GitHub).

Thank you Markus, I will try it in German… Thanks for pointing that out, but it doesn’t do my job.

My idea (if complete subsistence is not possible) would be:

install Unbound

configure Unbound on a port other than 53 (e.g. 5353)

in NethServer redirect DNS forwarding to 127.0.0.1:5353

Would that be possible without a conflict with the Service Manager? dnsmasq would still be able to configure dnsmasq manually. But I don’t know where else Service Manager is going.

If this is not really feasible, I tend to forward on a RASPI - that should work, right? I only fear, however, that then continuous DNSSEC validation is not possible, since NethServer does not provide for such a validation. Right?

@capote, you can’t easily remove dnsmasq, but it should be possible to make it work together with unbound.
I think that you could use nethserver-unbound, which will listen on port 10053. You will only need to add a custom template to route all queries from dnsmasq to localhost:10053.
Now, the dnsmasq template routes to 10053 only queries to some domains. See this fragment to get the idea:

Hello, Filippo, thank you. That sounds good, but I’m not familiar with the concept of templates. I must first read the instructions on this subject. I hope I understand that somehow, because it sounds very special, at first sight.

Hello @m.traeumner and @filippo_carletti ,
I want to take the next steps for prototyping. I want to forward any DNS requests to my unbound implementation on my RASPBERRY (192.168.2.8).
I understand that I have to define two parts

The expand-template command builds a new config file from “system” templates and custom templates.

If there are, for example, system templates 10base, 20dns and 30dhcp and so on, and you create a custom template 26unbound_rbl, after expanding templates you have a config file with

10base

20dns

26unbound_rbl

30dhcp

If you want to change a value in a system template, for example 20dns, you have to copy it to templates-custom and change the values there. In this case the system takes your custom template instead of the system template.

capote:

And how could I roll back if it fails?

You only have to delete your custom template and do the expand-template command again.
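
The fragment merge and rollback described in the replies above, modelled as an added example (not part of any post in this thread and not NethServer's own code). The `expand` function, the temporary directories and the fragment contents are constructed for illustration; the fragment names and port 10053 come from the thread, and `server=` / `no-resolv` are standard dnsmasq options.

```python
import tempfile
from pathlib import Path


def expand(system_dir: Path, custom_dir: Path) -> str:
    """Model of template expansion as described in the thread: fragments are
    joined in name order; a custom fragment with the same name as a system
    fragment replaces it, any other custom fragment is slotted in by name."""
    fragments = {p.name: p for p in system_dir.iterdir() if p.is_file()}
    if custom_dir.is_dir():
        fragments.update({p.name: p for p in custom_dir.iterdir() if p.is_file()})
    return "".join(fragments[name].read_text() for name in sorted(fragments))


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp, "templates")
        custom = Path(tmp, "templates-custom")
        system.mkdir()
        custom.mkdir()

        # Constructed system fragments: only one domain goes to port 10053.
        (system / "10base").write_text("# 10base\n")
        (system / "20dns").write_text(
            "# 20dns\nserver=/example.org/127.0.0.1#10053\n")
        (system / "30dhcp").write_text("# 30dhcp\n")
        before = expand(system, custom)

        # Custom-only fragment: lands between 20dns and 30dhcp.
        (custom / "26unbound_rbl").write_text("# 26unbound_rbl\n")
        # Same-name fragment: replaces the system 20dns and sends every
        # query to the local resolver instead of the upstream servers.
        (custom / "20dns").write_text(
            "# 20dns (custom)\nno-resolv\nserver=127.0.0.1#10053\n")
        after = expand(system, custom)

        # Rollback: delete the custom fragments and expand again.
        for fragment in custom.iterdir():
            fragment.unlink()
        rolled_back = expand(system, custom)

    return {"before": before, "after": after, "rolled_back": rolled_back}


if __name__ == "__main__":
    for stage, text in demo().items():
        print(f"--- {stage} ---\n{text}")
```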